The federal consumer watchdog said Friday that it
has launched an investigation into RushCard, a prepaid debit-card
business co-founded by hip-hop music producer Russell Simmons after
thousands of customers lost access to funds in their accounts.

Mr. Simmons has said on RushCard’s Facebook page that a technology update on Oct. 12 triggered a series of
problems that cut off some customers’ access to their money. Some
customers’ cards were deactivated and others saw the same
transaction appear twice in their statements, he said.

In a post on Wednesday, Mr. Simmons said the
company had been debugging its systems and that most customers’
cards should be working normally.

… Prepaid cards, which target low-income
consumers who lack regular checking accounts or credit cards, are
among the fastest-growing financial products in the U.S., with an
estimated 16 million cards in circulation.

Customers load cash or receive direct deposits
from employers, and use them to make payments, store funds or get
cash at ATMs.

Lots of interesting angles to this one. Is the
ransom demand from the hacker or someone pretending to be the hacker?
Are we headed toward “security by contract?” I guess we'll have
to stay tuned.

… Police are investigating a ransom demand
sent to the telecoms company after its chief executive, Dido Harding,
said a person claiming to be the hacker had contacted her directly
and demanded money in exchange for the data.

Oliver Parry, the Institute of Directors’ senior
corporate governance adviser, told the BBC that police should make
cybercrime an urgent priority, but added that companies “are
ultimately responsible for protecting their customers’ data”.

There have been questions about how well TalkTalk
secured its customers’ data after Harding admitted she did not know
whether details including names, addresses and bank account numbers
were encrypted. It was the company’s third major data breach in
the past year.

… Proof
of adequate cyber security could be made a condition of government
contracts, said Hazel Blears, the former MP who has been
counter-terrorism minister and a member of the parliamentary
intelligence and security committee.

She said the UK had been “a little bit tardy”
in waking up to the scale of the threat but must now seek tougher
rules to ensure data was protected.

One
shows a man presumably working at an intelligence agency who
unknowingly passes information along to a “foreign intel ops
center” by looking for a new job on Facebook. Another
encourages intelligence officials to protect themselves from “social
media deception.”

… The feds want access to an iPhone 5s owned
by a man who's now a defendant in a drug case and currently facing
accusations of possessing and distributing meth. Apple has declined
to hand over the keys to iOS, stating that, among several reasons,
any backdoor access creates new vulnerabilities.

… Apple argued that giving the government
special access into iOS, which it touts as being out of reach of
federal snoops, would "tarnish the Apple brand."

"Absent Apple's assistance, the government
cannot access that evidence without risking its destruction. But
Apple can," states
the court brief (PDF).

Apple has assisted in federal cases before by
extracting the requested data and passing it along to law enforcement
agencies, the DOJ reasoned in the brief.

So with Apple unwilling to budge and court orders
falling flat, thus far, the department changed its tactics and is now
arguing that the company "is not far removed from this matter."

Apple designed, built and sold the iPhone 5s in
question. But that's just the beginning, the government stated.

"Apple wrote and owns the software that runs
the phone, and this software is thwarting the execution of the
warrant," the justice department added. "Apple's software
licensing agreement specifies that iOS 7 software is 'licensed, not
sold' and that users are merely granted 'a limited non-exclusive
license to use the iOS Software.'"

From there, the DOJ calls into question the legal
protection of Apple as a licensor of software.

… For privacy watchdogs, the above argument
might invoke goosebumps. If the DOJ's reasoning stands, it could
take up that strategy with other companies giving out licenses to
software.

Amazon.com, Google, and Microsoft all topped
profit estimates last quarter, highlighting the widening gulf between
companies that deliver computing via server-laden warehouses and a
generation of latecomers to the cloud boom. Together, the three
companies added $86 billion in market cap following their earnings
reports on Thursday.

The trio shares a reliance on technology that
comes from powerful machines lashed together in bunkers the size of
football fields. These data centers are capable of providing a broad
range of services at a low cost—be it Microsoft's personal and
business software, Amazon's e-commerce and computing power, or
Google's Web search and advertising algorithms. Contrast that with
technology firms, such as IBM, Hewlett-Packard, EMC, and Oracle,
which are suffering from slowing growth or declines as cloud
operators shun traditional hardware, software, and services.

On Tuesday, Facebook debuted its long-awaited
Instant Articles feature to all users of its iPhone app. Now, when
someone taps a story in their News Feed from a select group of
publications—including The New York Times, The Washington Post,
Buzzfeed, and The Atlantic—they
access a version stored directly on Facebook’s servers, not on the
publication’s own. The company has started to test the
feature on Android phones as well.

With the formal release of the feature, Facebook
formally ends one era in the platform wars and begins another.

… Very soon, every digital publisher,
journalistic or non, that wants to be a serious online player will
host a large portion of their content on Facebook’s servers. The
Instant Articles is just too good to resist, and I think the penalty
for resisting will be too high. And then we all, Facebook and the
media sector alike, will have to deal with the consequences—whether
the comparisons to feudalism are correct or not.

Amusing. I don't always have the time to read the
longer articles, but I know where to look when I do. It's in my RSS
feed.

“JSTOR Daily offers a fresh way for people to understand and
contextualize their world. Our writers provide insight, commentary,
and analysis of ideas, research, and current events, tapping into the
rich scholarship on JSTOR,
a digital library of more than 2,000 academic journals, dating back
to the first volume ever published, along with thousands of
monographs, and other material. In addition to weekly feature
articles, the magazine publishes daily blog posts that provide the
backstory to complex issues of the day in a variety of subject areas,
interviews with and profiles of scholars and their work, and much
more. Our idea of a good story is one that:

tells
thought-provoking stories that appeal to a general reader

draws on scholarly
research to provide fresh insight into the news media and current
affairs

deepens our
understanding of our world

highlights the
amazing content found on JSTOR

exposes the work of scholars who are using
JSTOR to conduct their research”

… Via
Inside Higher Ed: “On Wednesday 72 women’s and civil rights
organizations urged the
U.S. Education Department to tell colleges that they must monitor
anonymous apps like Yik Yak – frequently the source of
sexist and racist comments about named or identifiable students –
and do something to protect those students who are named. The groups
said they view anonymous online abuse as an emerging issue under
provisions of the Title IX of the Education Amendments of 1972.”

… Via
Inside Higher Ed: “The University of Kentucky is asking a small
distillery, Kentucky Mist Moonshine, to stop using the word
‘Kentucky’ on T-shirts and other materials, saying that the word
is covered by a university trademark.”

… From a paper titled “Changing
Distributions: How Online College Classes Alter Student and Professor
Performance”: “Using an instrumental variables approach and
data from DeVry University, this study finds that, on average, online
course-taking reduces student learning by one-third to one-quarter of
a standard deviation compared to conventional in-person classes.
Taking a course online also reduces student learning in future
courses and persistence in college.”

It's not clear who is behind the hack yet, but a
group claiming to be a Russian jihadist cyberterrorist group is
claiming responsibility. BuzzFeed
has spoken to a TalkTalk customer included in an apparent
preliminary dump of customer data, and it appears to be legitimate —
although the hacker's stated political affiliation could well be
false.

… The
company has around 4 million UK customers.

The
BBC is reporting that TalkTalk's website was targeted by a DDoS
attack — overwhelming servers with traffic. This on its own
wouldn't give the attacker access to internal data, however.

… It's not yet clear whether the hackers
gained access to customers' full credit card details, or if they were
at least partially encrypted (if they weren't, it'd be a major
security issue). The company says that "not all of the data was
encrypted" — had it been, it would be very difficult for the
attacker to make any sense of.

Better late than never? The original collector of
Big Data has finally realized they can use all that data they
insist on gathering! But of course since they have never done
anything with that data, they don't know what to do with it. (This
is apparently so obvious that it only takes 2 pages to report
everything they already knew?)

U.S. government agencies appear to have gotten the
memo: Big data is good for you.

Federal agencies' acquisition, storage, processing
and management of almost unimaginably large chunks of information
will drive the government to use big data technologies, according to
a recent survey of federal information technology managers.

In addition, the use of big data analytics to
productively maximize the value of all this information will become a
major goal of government agencies, the survey showed.

To accomplish those goals, federal IT managers
increasingly are seeking the support of the private sector.

Forty-six percent of respondents planned to
increase use of third-party contractors or consultants to assist with
big data projects, according to the survey, which was sponsored by
Unisys
Federal. Another 52 percent intended to maintain their current level
of engagement with outside providers.

House leaders are hosting a "hackathon"
on Capitol Hill intended to find ways for technology to help
congressional staffers with their jobs.

House Majority Leader Kevin McCarthy (R-Calif.)
and House Minority Whip Steny Hoyer (D-Md.) are hosting the event
Friday, which follows a similar gathering in late 2011 that was
summarized in an 18-page
report.

Tech
company employees are scheduled to meet with congressional staff and
other open government advocates to "brainstorm" ideas to
modernize hearings, as well as ease legislative workflow, constituent
services and outreach.

The Open Government Foundation recently
estimated about 12 percent of the government's budget
goes to tech spending, including IT staff, technical support,
maintenance and software. Still many have criticized Congress, and
the government in general, for being far behind the private sector in
adopting new technology.

Because humans don't think like a computer? Will
that be a good thing? I'd like some say on how machine learning
reorganizes my life.

… New Google CEO Sundar Pichai took part in
his first earnings call, and in between discussing the numbers he
revealed how important Google thinks machine learning is to its
future.

”Machine learning is a core, transformative way
by which we’re rethinking everything we’re doing,” he said.

He was putting the spotlight on a branch of
artificial intelligence that’s getting more attention lately. It
involves using computer algorithms that can “learn” over time. A
common example is its use in email, where machine learning figures
out from watching users’ behavior which emails are spam and which
should be let through.

… He didn’t give examples, but it’s not
hard to imagine where it might turn up. He mentioned machine
learning in the context of mobile, for example, where machine
learning could determine if a user is at work, at home or in their
car, so that their phone can deliver information accordingly.

Most academic journals charge expensive
subscriptions and, for those without a login, fees
of $30 or more per article. Now academics are using the hashtag
#icanhazpdf to freely share copyrighted papers.

Scientists are tweeting a link of the paywalled
article along with their email address in the hashtag—a riff on the
infamous
meme of a fluffy cat’s “I Can Has Cheezburger?” line.
Someone else who does have access to the article downloads a pdf of
the paper and emails the file to the person requesting it. The
initial tweet is then deleted as soon as the requester receives the
file.

Andrea Kuszewski, a San
Francisco-based cognitive scientist who started the hashtag,
tells Quartz that “the biggest rule is that you don’t
thank people.” Those who willingly share papers are, in most
cases, breaking copyright laws. But Kuszewski says it’s an
important act of “civil disobedience,” adding “it’s not an
aggressive act but it’s just a way of saying things need to
change.”

Social media is a
limitless focus group. Each tweet, like, post, or comment
represents an active decision by a person to interact with another
person, brand, or TV program culminating in a detailed individual
profile. The data provides marketers the opportunity to observe
people in their native environments — their own social groups and
with brands — while also tracking shifts in taste and behavior over
time. Combining trillions of these data points provides
unprecedented insight into consumer interests and predictive
associations.

… it turns out that social media turns up all
sorts of unpredictable and unexpected correlations.

In addition to providing a more holistic
understanding of a brand’s consumers, these non-obvious
relationships enable marketers to reach untapped consumers in an
addressable way and at a reduced cost. For ambitious marketers, this
means tailoring campaigns around each high priority interest.

Facebook
is unleashing universal search across its entire social network

… Because Facebook commands the lion's share
of our time spent online, it hosts a huge percentage of the links we
share from around the web and the discussions we have around news,
personal interests, and other moments in our lives. Facebook's
search team is now turning that firehose of human interaction, which
already generates 1.5
billion daily searches, into a vast repository of
discussion, searchable by anyone.

Is this Wall Street Journal column pro-Republican
or merely anti-Hillary? (Worst case? That she is being completely
neutral.)

Thanks to Hillary Clinton’s Benghazi testimony
on Thursday, we now understand why the former secretary of state
never wanted anyone to see her emails and why the State Department
sat on documents. Turns out those emails and papers show that the
Obama administration deliberately misled the nation about the deadly
events in Libya on Sept. 11, 2012.

(Related) These GIFs are more likely to do
Hillary harm. Are these the reactions of a serious politician or an
amateur actor?

The 10
Cheapest Mobile Phone Plans in the US Right Now [Cheat Sheet
Included]

… Two quick notes: first, for the purposes of
this article, I’ll only be looking at plans that include at least
some mobile data. If you’re looking for a plan that only includes
calling and texting, or just calling, you can find even cheaper plans
than these. Second, many of these plans are based around an idea
called “Wi-Fi first” which means that if you’re connected to
Wi-Fi, your calls and messages will be routed via the Wi-Fi instead
of through your cellular network.

Thursday, October 22, 2015

The theft of a computer and hard-drive
containing the names and stories of people who survived the war in El
Salvador has human rights workers on edge. The break-in happened in
Smith Hall, in the offices of the University
of Washington’s Center for Human Rights, or CHR.

UW’s Campus Police Department says
sometime between October 14-18, Dr. Angelina Godoy’s desktop
computer and an external hard drive were taken. Godoy is CHR’s
Director. There was no sign of forced entry.

The stolen devices contain personal
testimonies that are part of ongoing human rights investigations
involving survivors of the war in El Salvador, a civil war that
killed more than 75,000 people between 1980 and 1991. During the
conflict the US provided military aid to the Salvadoran Government.

The center’s lawsuit alleges that the
CIA is illegally withholding information about an El Salvador army
officer who is suspected of human rights violations during that
Central American country’s civil war in the 1980s.

Center
officials say they have backup copies of the information on the
computer drives, but they’re concerned because the
drives had about 90 percent of the information being used in the
lawsuit, including sensitive details about personal testimonies and
pending investigations.

WikiLeaks on Wednesday released documents
it said had been collected from CIA director John Brennan’s
personal AOL account, the first in what the group said would be a
series of publications.

[…]

The embarrassing leaks include a
questionnaire for the official’s security clearance marked: “Review
copy – Do not retain.”

Other documents included an early version
of the Limitations
on Interrogations Techniques Act of 2008, a bill defining the
limits of interrogation methods. Also released was a letter from
Missouri Republican senator Christopher Bond, then a member of the
Senate select committee on intelligence.

All
the documents in the WikiLeaks cache are from 2008 and before.
Brennan assumed office in 2013.

Law
enforcement: Phone spying software not capable of collecting content

Cell phone spying technology used by federal law
enforcement will not have the software capability to scoop up
individuals' actual communications, like texts or pictures, law
enforcement officials said Tuesday.

Officials from the Justice Department and the
Department of Homeland Security (DHS) told lawmakers the devices will
not be configured to collect the actual content from people's
phones.

… DHS said its use of the technology in the
past never scooped up actual content from mobile phones, while the
Justice Department demurred.

"I will have to get back to you about what
the policy said," Tyrangiel said.

Bad procedure. “This data is really, really
important, but we didn't bother to protect it.” It's not like the
name change came as a surprise. (Goes to the “Right to be
remembered” issue?)

Child sex abuse survivors in Britain are
calling for an investigation after discovering some testimonies may
have been deleted due to a technical error.

Claims of paedophiles in Westminster in
the 1980s sparked the inquiry and cases under investigation could
date back to the 1970s.

But the inquiry’s website has said
information victims
submitted between 14 September and 2 October was deleted before it
reached the investigation’s engagement team.

“Due to a change in our website address
to www.iicsa.org.uk on 14 September, any information submitted to the
inquiry between 14 September and 2 October through the online form on
the ‘Share your experience’ page of our website, was instantly
and permanently deleted before it reached our engagement team,” it
said.
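The inquiry's statement says only that submissions made after the address change never reached the team, not what broke. One well-known way a form dies on a URL change is that the old host answers with a 301 or 302, and every browser (and most HTTP libraries) then re-requests the new URL as a GET with the form body thrown away; a 307 or 308 is what preserves a POST. The following is an added example of mine, not the inquiry's code, that stands up two throwaway local servers (hypothetical hosts standing in for the old and new addresses) and shows what the backend actually receives under each redirect status. The form field is constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

RECEIVED = []   # what the backend behind the new address actually gets


class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):   # keep the demo output clean
        pass


class NewSite(Quiet):
    """The new address (hypothetical). Records every request that reaches it."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0"))).decode()
        RECEIVED.append(("POST", parse_qs(body)))
        self.send_response(200)
        self.end_headers()

    def do_GET(self):
        RECEIVED.append(("GET", {}))   # a GET carries no form body
        self.send_response(200)
        self.end_headers()


def make_old_site(status: int, new_url: str):
    """The old address (hypothetical), answering every POST with a redirect."""
    class OldSite(Quiet):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", "0")))
            self.send_response(status)
            self.send_header("Location", new_url)
            self.end_headers()
    return OldSite


def serve(handler) -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def submit(url: str, fields: dict, max_hops: int = 3) -> int:
    """POST a form and follow redirects the way a browser does (RFC 7231/7538):
    301/302/303 turn the request into a body-less GET; 307/308 repeat the POST."""
    method, body = "POST", urlencode(fields)
    for _ in range(max_hops):
        u = urlsplit(url)
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
        headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
        conn.request(method, u.path, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
        conn.close()
        if resp.status in (301, 302, 303):
            method, body, url = "GET", None, location   # body is dropped here
        elif resp.status in (307, 308):
            url = location                              # method and body kept
        else:
            return resp.status
    raise RuntimeError("too many redirects")


def check_migration(redirect_status: int) -> list:
    """Stand up both sites, submit one form to the OLD address, report what arrived."""
    RECEIVED.clear()
    new = serve(NewSite)
    old = serve(make_old_site(redirect_status, f"http://127.0.0.1:{new.server_port}/share"))
    try:
        submit(f"http://127.0.0.1:{old.server_port}/share",
               {"experience": "constructed test submission"})   # constructed input
    finally:
        for srv in (old, new):
            srv.shutdown()
            srv.server_close()
    return list(RECEIVED)


if __name__ == "__main__":
    print(check_migration(301))   # [('GET', {})]  -> the submission is gone
    print(check_migration(308))   # [('POST', {'experience': ['constructed test submission']})]
```

The procedural check the commentary above is asking for is exactly this and costs minutes: before the cutover, submit a test form through the old address and confirm it shows up on the new backend, and point the form's action at the new address directly rather than trusting a redirect to carry the body.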

Bill Maris has a simple proposition for those who
are a little freaked out by his efforts to digitize human DNA: “If
we each keep our genetic information secret, then we’re all going
to die.” OK then.

The Google Ventures managing partner has shifted
the firm’s focus this year to investing in companies that aim
to slow aging, reverse disease, and extend life. Many of those
life-sciences companies do this by collecting customers’ genetic
information and looking for trends.

That’s because people constantly leave traces of
their genomic material lying around in public. If someone really
wanted the information, they don’t need to hack a server. They
could just pull a cup with your saliva out of the trash and test it,
said Maris.

… Healthcare is indeed a major target for
cybercriminals, Raytheon|Websense found in a report released last
month. The healthcare sector experiences 340 percent more security
incidents and attacks than the average for other industries, and it
is more than 200 percent more likely to encounter data theft.

Advanced malware is used in one of every 600
attacks in the healthcare sector. Compared to other sectors,
healthcare is four times more likely to be hit by advanced malware.

Twitter
buys Fastlane, a popular tool for building iPhone apps, and adds
Android support

Twitter has acquired Fastlane,
a set of tools that found a lot of popularity with iPhone developers
as an easy way to constantly test and update their apps.

… Also important, as far as not annoying
developers: Fastlane has always been available as a free download,
available as "open source" for programmers all over the
world to look at and improve on. Krause says his employment at
Twitter won't change that at all.

… When Xamarin first got started in 2011, it
had a simple sales pitch. Write your smartphone app in C#, and it
provides the tools to make it into an iPhone, Android, Mac, or
Windows app with a minimum of effort.

RoboVM, a tiny startup founded earlier in 2015,
has the exact same pitch — only it did it with Java.

Wednesday, October 21, 2015

How should I classify this article? It's not
really computer security nor is it a privacy violation. Should we
call it 'being a corporate good citizen?' I would not have seen the
need to scan for child porn, but maybe I need to change my thinking.
This article makes it sound much more common than I would have
believed. Is there a threshold level (some statistical level of
occurrence) such that if I have no indication a crime is being
committed I should still look for evidence of that crime?

The first alarm came within a week. It meant an
Ericsson AB
employee had used a company computer to view images categorized by
law enforcement as child sexual abuse.

“It was faster than we would have wanted,”
says Nina Macpherson, Ericsson’s chief legal officer.

In a bid to ensure none of its 114,000 staff
worldwide were using company equipment to view illegal content, in
2011 the Swedish mobile networks pioneer installed scanning software
from Netclean
Technologies AB. While many companies since then have adopted
similar measures, few have been willing to discuss their experience
publicly.

… Since installing the system, Ericsson
says it has been dealing with around one alarm each month
– each one flagging an act that could lead to prosecution.

… The alerts – invisible to the person who
triggers them – are sent via e-mail and text message to Ericsson’s
group security adviser, Patrik Håkansson, a former detective chief
inspector from Sweden’s National Police IT Crime Squad. He’s
confident that the digital fingerprint system means the software only
raises the alarm when it detects images already on an international
child abuse blacklist.

“There are no false positives; the technology
won’t show up any pictures of children on the beach,” says
Håkansson.
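The “digital fingerprint” matching described above is, at its core, comparing a hash of each file against a list of hashes of known material; the list holds digests, never the images. The following is an added example of mine, not Netclean's or Ericsson's code, showing in Python why exact cryptographic-hash matching cannot flag an unlisted picture, and also its limit: a single changed byte (a re-save, a resize) produces a different digest and slips past, which is the reason perceptual hashes exist alongside exact ones. The file bytes and the blocklist are constructed for the demonstration.

```python
import hashlib
from typing import Dict, Iterable, List, Set

CHUNK_SIZE = 64 * 1024


def sha256_of_chunks(chunks: Iterable[bytes]) -> str:
    """Hash a file read in pieces, so large files never sit in memory at once."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return sha256_of_chunks(data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE))


# Constructed sample "files". LISTED stands in for an image whose digest is on the
# shared list; BENIGN is an unrelated picture; ALTERED is LISTED with one byte flipped.
LISTED = b"\x89PNG\r\n\x1a\n" + b"constructed sample image A " * 200
BENIGN = b"\x89PNG\r\n\x1a\n" + b"constructed beach photo " * 200
ALTERED = LISTED[:-1] + bytes([LISTED[-1] ^ 0x01])

# The blocklist distributed to a scanner holds only digests, never the images.
BLOCKLIST: Set[str] = {sha256_of_bytes(LISTED)}


def scan(files: Dict[str, bytes], blocklist: Set[str]) -> List[str]:
    """Names of files whose exact SHA-256 is on the list. No fuzzy matching,
    so an unlisted picture can never match, but a re-encoded copy will not either."""
    return [name for name, data in files.items() if sha256_of_bytes(data) in blocklist]


if __name__ == "__main__":
    files = {"a.png": LISTED, "beach.png": BENIGN, "a_resaved.png": ALTERED}
    print(scan(files, BLOCKLIST))   # ['a.png']: the one-byte variant is not flagged
```

Operationally the digest is what gets reported and stored as evidence of the match; the scanner never needs a copy of the listed material, which is what lets a company run this on its own equipment without holding the images itself.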

His job is to confirm that the illegal pictures
have indeed been handled on company equipment, and by whom. In
the U.S. the FBI must be called immediately. In other
markets Ericsson can carry out some internal investigations before
involving law enforcement.

… Ericsson employees sign a form consenting to
being observed. Does that equate to spying on staff? As long as
companies are upfront and explain to employees they are being
monitored, there “can’t be any expectation of privacy,’’ says
Stuart Neilson, a London-based employment lawyer.

That’s important, because there
are also risks for any company that knows its equipment is being used
illegally and doesn’t act. “If the organization has
evidence that an employee has been accessing these sites but has done
nothing with that evidence, then the employer might be liable,’’
Neilson says.

For my Computer Security students. If you block
sites like Reddit, then you need to watch for people using these
“workarounds.” (What we really need is a system to reduce an
employee's work hours by the time they spend on non-work tasks.)

Reddit
is addictive — so much so that many people can’t even go 24
hours without it. That kind of addiction is bad news when you work
in an office environment. It’s just too tempting and too
easy to Reddit
while you work.

So if you want to make it less obvious that you’re
wasting so much of your employer’s time, you should think
about using MSOutlookit:

This site replicates the content of Reddit but
wraps it up in the aesthetics of Outlook 2007. Each email displays
the username, title, and score of each post. You can switch
subreddits by changing the email category, but the selection is a bit
limited.

Malware that targets the browser is nothing new.
But malware that replaces an already existing browser with
one designed to track online movements, hijack search traffic, and
fill each page with unwanted adverts? Yeah, that’s pretty
interesting.

The eFast Browser was discovered by the
MalwareBytes team a
few days ago, and it does all of the above, and more.

Perhaps the worst thing about eFast Browser is
that unless you’re especially observant, you might not even notice
it’s there, as it takes great pains to camouflage itself.

Sony's
Settlement With Employees Over Hacked Data Worth More Than $5.5
Million

Sony Pictures will be paying somewhere in the
neighborhood of $5.5 million to $8 million to resolve a class action
lawsuit over a large hack attack last winter that left the personal
information of employees and ex-employees vulnerable. The details of
the settlement were revealed in court papers on Monday night.

… The proposed deal contemplates a
$2 million cash fund to reimburse class members up to
$1,000 each for preventive measures taken to protect against identity
theft. Meanwhile, the
class action lawyers who represented the plaintiffs would be getting
almost $3.5 million.

Officials close to the matter at the Department of
Justice are concerned the emails Hillary Clinton sent from her
personal devices while overseas on business as U.S. Secretary of
State were breached by foreign telecoms in the countries she
visited—a list which includes China.

… The Justice Department officials also used
the words “reckless", “stunning,” and “unbelievable”
in discussing the controversy swirling around Clinton’s use of a
private, nongovernment email account, as well as her use of a
personal Blackberry, an Apple iPad, and home server while U.S.
Secretary of State. The
officials did not indicate they have any knowledge of a breach at
this point.

As for the effort to designate Clinton’s emails
as classified or unclassified, the Justice Department officials
agreed that, as one put it: “Every email she sent is classified
because she herself is classified, because she is both Secretary of
State and a former first lady.”

If you really want to protect your communication,
don't rely on someone else to encrypt your data. Do it yourself
(it's fast and free) then if these bozos decrypt their “unbreakable”
encryption for law enforcement or for their own amusement, they will
find apparent gibberish. Let them ask you for the encryption key
like good little boys and girls.

Apple Inc. told a federal judge that it “would
be impossible” to access user data on a locked iPhone running one
of the newer operating systems, but that it could likely help the
government unlock an older phone.

In
a brief filed late Monday, the company said “in most cases now
and in the future” it will be unable to assist the government in
unlocking a password-protected iPhone. The brief was filed at the
invitation of U.S. Magistrate Judge James
Orenstein, who is considering a request from the Justice Department
that he order Apple to help government investigators access a seized
iPhone.

… Judge
Orenstein, in
an earlier ruling in the case, was doubtful that he had the
authority to force Apple to help the government. The Justice
Department has said in this case and others that federal judges have
such power under the All Writs Act, an 18th-century law.

Think about cats out of bags. I may not tell you
everything I know, but I have no problem discussing any published
facts. Speculation is just that and I can come up with more
scenarios than you can possibly imagine. It's one of the things I
was trained to do.

Four weeks ago, Bart Gellman of the Century
Foundation delivered a keynote address at Purdue University’s “Dawn
or Doom?” colloquium. His topic was “The NSA, Edward Snowden,
and National Security Journalism.” As part of his lecture, Gellman
displayed slides of a handful of the documents that Snowden leaked
(some of which Gellman published in the Washington Post), which
describe certain NSA mass data collection programs, including
Upstream and PRISM. Purdue live-streamed the lecture, and told
Gellman it would be posted online shortly.

But Purdue has not posted the Gellman lecture
video. Nor, in all probability, will the video ever be posted ...
because it no longer exists: Purdue apparently “wiped” all
copies of the lecture video from university servers because it
contained screen shots of the Snowden documents. On October 8, the
organizer of the conference, Dr. Gerry McCartney, from Purdue’s
Chief Information Office, posted this statement on behalf of the
university, offering an alarming excuse for Purdue’s actions:

Purdue has been recognized as a national
leader in its commitment to freedom of expression and free and open
inquiry and debate. We reject entirely the notion that complying
with clear federal law is in any way an abridgment of those
principles. We have already acknowledged that perhaps a better way
to comply would have been to block only the classified information in
question. And if we can correct that situation, we will. But a
speaker’s decision to exercise civil disobedience does not obligate
Purdue to join him in that act.

Perspective. It occurred to me recently that I am
no longer subjected to the dreaded, “Let me show you the slides of
our vacation!” Now they send me an email with pictures attached,
which I can ignore at my leisure.

Google Photos is less than half a year old, but
it's already hit a major milestone with more
than 100 million monthly active users, the company announced
today. The unlimited photo service comes with apps available on iOS,
Android, and on the web, and it was spun off from the company's
Google+ social network in May, to much rejoicing. Google Photos was
hailed
at launch for its simplicity and for combining many of the
disparate features of competitors like Dropbox's Carousel, Apple's
iCloud, and Yahoo's Flickr into a single service.

To hit 100 million users in just five months is no
easy feat. It took both Pinterest and Twitter about
five years to hit that benchmark. Even Instagram's explosive
popularity back in 2010 meant it still took the startup around two
and a half years to reach the 100 million mark.

Useful for my students or their children? Either
way, thanks Facebook! I need to explore this more, but it really does
look useful.

… At Facebook, we’re working on a number of
initiatives to widen the pipeline and build an inclusive culture.
After looking closely at the data, we realized that one challenge is
a lack of exposure to computer science and careers in technology, as
well as a lack of resources for parents, guardians, and others who
want to learn more. In the US, this lack of access is prevalent in a
number of underrepresented groups including Black and Hispanic
communities.

Today, we’re excited to introduce TechPrep,
a resource hub where underrepresented people and their parents and
guardians can learn more about computer science and programming and
find resources to get them started. TechPrep brings together
hundreds of resources, curated based on who you are and what you
need, such as age range, skill level and what kind of resource you
are looking for. The website is designed for both English and
Spanish speakers.

Wireless Philosophy, AKA Wi-Phi, is a project produced by philosophy
students and professors from Duke, Yale, Northern Illinois
University, MIT, and Duquesne University. The purpose of the project
is to teach philosophy through animated videos. There are currently more
than 100 videos available on the Wireless
Philosophy YouTube channel. The videos are organized into twelve
playlists covering topics like critical thinking and biases,
political philosophy, religion, Descartes, and linguistics.

Tuesday, October 20, 2015

See? It's not just Hillary. Computer security is
not a consideration in highly political environments. Good computer
security won't get you re-elected or re-appointed. (and apparently
bad computer security won't keep you from being re-elected or
re-appointed.)

The State Department was among the worst
agencies in the federal government at protecting its computer
networks while Hillary Rodham Clinton was secretary from 2009 to
2013, a situation that continued to deteriorate as John Kerry took
office and Russian hackers breached the department’s email system,
according to independent audits and interviews.

This post describes the results of Internet scanning we recently conducted
to identify the users of FinFisher, a sophisticated and user-friendly
spyware suite sold exclusively to governments. We devise a method
for querying FinFisher’s “anonymizing proxies” to unmask the
true location of the spyware’s master servers. Since the master
servers are installed on the premises of FinFisher customers, tracing
the servers allows us to identify which governments are likely using
FinFisher. In some cases, we can trace the servers to specific
entities inside a government by correlating our scan results with
publicly available sources. Our results indicate 32 countries where
at least one government entity is likely using the spyware suite, and
we are further able to identify 10 entities by name. Despite the
2014 FinFisher breach, and subsequent disclosure of sensitive
customer data, our scanning has detected more servers in more
countries than ever before.

If you thought biometrics was the
ultimate weapon of authentication, you may be proved wrong by
Starbug. German researcher Jan Krissler, aka Starbug is a hacker
whose claim to fame is breaching Apple’s TouchID and recreating the
German defense minister’s thumbprint from a high-res image.

Starbug has revealed that he can now
decode anyone’s smartphone PIN code from any selfie “image” of
the owner.

Starbug and his colleagues have extracted
the reflection of smartphone screens in the eye whites of “selfie”
subjects, then used ultra-high resolution image techniques to
extract the user’s PIN code. Starbug presented his discovery at
the Biometrics 2015 conference in London.

… HP, IBM and
Quantum, the companies behind LTO, have confirmed
that next gen cartridges will offer up to 15TB of compressed data
storage, and published the specifications for third-party
manufacturers.

And it's not just LTO tape technology that is
seeing an explosion in capacity: last year Sony announced
tape technology that could result in tape cartridges with a capacity
of 185TB, while in April IBM and Fujifilm demonstrated
new technologies that cram 123 billion bits in a square inch of tape,
equivalent to an LTO tape cartridge holding 220TB.

This is more than an academic exercise for his
company. He deals with cloud storage and currently stores exabytes
(EB) of data on millions of hard disk drives (HDDs) for his cloud
storage. When he began in 2007, the company used four 750 GB HDDs
inside 1u servers.

It started off at a decent pace a
month ago with regular newsworthy statements and events making
the headlines, but this week the extradition hearing of Kim Dotcom
appeared to drop into a much lower gear.

The hearing, which will determine whether Kim
Dotcom, Mathias Ortmann, Finn Batato and Bram van der Kolk are
extradited to the United States, got underway in September. However,
legal argument has persistently bogged the hearing down, with
repeated claims by the defendants that the U.S. government is doing
everything possible to prevent them from engaging in a fair fight.

… After claiming that the U.S. seizure of the
defendants’ funds made it impossible to hire expert witnesses in
the United States, Dotcom’s lawyer Ron Mansfield asked the court to
consider submissions as to why the case should be paused or even thrown
out altogether.

While those have been underway for some days now,
according to 3News
lawyers for Dotcom and his former associates are now expected to make
further submissions on additional points. Allowing for a response
from the Crown, that process could take several more weeks to
complete.

… lawyer Grant Illingworth, who represents
Mathias Ortmann and Bram van der Kolk, was present today. He warned
the court that the U.S. interpretation of extradition law threatened
to make Judge Nevin’s considerations almost irrelevant.

“[The U.S. is seeking to] reduce your honor’s
role to a mere rubber-stamping exercise. The US [approach] would
render the extradition process largely meaningless,” he told
the Judge.

… Along with reported computer breaches of a
French TV network and the White House, a number of attacks now being
attributed to Russian hackers and some not previously disclosed have
riveted intelligence officials as relations with Russia have
deteriorated. These targets include the Polish stock market, the
U.S. House of Representatives, a German steel plant that suffered
severe damage and The New York Times.

U.S. officials worry that any attempt by the
Russian government to use vulnerabilities in critical infrastructure
like global stock exchanges, power grids and airports as pressure
points against the West could lead to a broader conflict...

I think we need to create a Best Practices guide
for organizations (and their lawyers).

In the immediate aftermath of a security
breach, companies should ensure they don’t use weasel words and
have in place strong internal communications and clearly-defined
staff guidelines, according to Atlassian head of security
intelligence Daniel Grzelak.

Read more at ITNews.
Why? Because I actually agree with pretty much everything he
advises, and if more companies took his advice, there’d be a lot
less snark on my blog. [and
on mine! Bob]

(Related) But this is not always possible.
Consider hiding it in other news like Target did by announcing their
breach on the day President Obama was inaugurated. It almost worked!

A recent
study goes a step further, suggesting that if handled well a data
breach can actually help the bottom line. This counter-intuitive
conclusion, conducted by Sebastian Gay at the University of Chicago,
is based on data from breaches occurring between 2005-2014. The
paper finds that “firms manage to avoid the full negative effect of
a privacy breach event disclosure by releasing on the same day an
abnormal amount of positive news to the market.” In other words,
sometimes companies have maintained a store of “good news” that
they bundle together and release at around the same time that they
disclose a data breach, which not only offsets the negative effect of
the bad news of a data breach, but actually increases the bottom
line.

Hillary Rodham Clinton’s e-mail scandal
didn’t stop the head of the CIA from using his own personal
AOL account to stash work-related documents, according to
a stoner high-school student who claims to have hacked into them.

CIA Director John Brennan’s private
account held sensitive files — including his 47-page application
for top-secret security clearance — until he recently learned that
it had been infiltrated, the hacker told The Post.

Other e-mails stored in Brennan’s
non-government account contained the Social Security numbers and
personal information of more than a dozen top American intelligence
officials, as well as a government letter about the use of “harsh
interrogation techniques” on terrorism suspects, according to the
hacker.

Read more of this report by Philip Messing, Jamie
Schram and Bruce Golding on NY
Post.

The twitter accounts being used to disclose the
hack, @phphax (“Cracka”) and @_CWA_ are still online this
morning, as are files purporting to be Brennan’s email contact list
and call logs of Avril Haines, the White House Deputy National
Security Advisor.

Assuming, for now, that these reports are
accurate, I’m not sure what this will do to the brouhaha over
Clinton’s private email server.

[From
the Post article:

… The FBI and other federal agencies are now
investigating the hacker, with one source saying criminal charges are
possible, law enforcement sources said.

“I think they’ll want to make an example out
of him to deter people from doing this in the future,” said a
source who described the situation as “just wild” and “crazy.”

“I can’t believe he did this to the head of
the CIA,’’ the source added. “[The]
problem with these older-generation guys is that they don’t know
anything about cybersecurity, and as you can see, it can be
problematic.”

Confusing. How will they differentiate between
“nation-state” and “teenager working for a nation-state?” Is
this a small/medium/huge problem?

According
to the social network, users will be informed on any suspected
compromise from an attacker believed to be working on behalf of a
nation-state. The company is already monitoring accounts for
potentially malicious activity while offering users the possibility
to proactively secure their accounts, and the new security measure is
building on this foundation.

In
addition to a warning on the possible malicious activity, Facebook
will provide users with the possibility to turn on Login Approvals,
which would ensure that third-parties cannot login into a user’s
account. As soon as the account is accessed from a new device or
browser, the user receives a security code on the phone, so that only
they could login.

Alex
Stamos, Chief Security Officer at Facebook, explains in a blog
post that the warnings are not being sent out because Facebook's
platform or systems have been compromised, but that user’s computer
or mobile device might have been infected with malware.

Interesting. I can neither confirm nor deny...
Mathematically, this might not be as difficult as you might think.

There have been rumors for years that the NSA can
decrypt a significant fraction of encrypted Internet traffic. In
2012, James Bamford published an
article quoting anonymous former NSA officials stating that the
agency had achieved a “computing breakthrough” that gave them
“the ability to crack current public encryption.” The Snowden
documents also hint at some extraordinary capabilities: they show
that NSA has built extensive infrastructure to intercept and decrypt
VPN traffic and suggest that the agency can decrypt at least some
HTTPS and SSH connections on demand.

However, the documents do not explain how
these breakthroughs work, and speculation about possible backdoors or
broken algorithms has been rampant in the technical community.
Yesterday at ACM CCS, one of the leading security research venues, we
and twelve coauthors presented a
paper that we think solves this technical mystery.

… For the nerds in the audience, here’s
what’s wrong: If a client and server are speaking Diffie-Hellman,
they first need to agree on a large prime number with a particular
form. There seemed to be no reason why everyone couldn’t just use
the same prime, and, in fact, many applications tend to use
standardized or hard-coded primes. But
there was a very important detail that got lost in translation
between the mathematicians and the practitioners: an adversary can
perform a single enormous computation to “crack” a particular
prime, then easily break any individual connection that uses that
prime.
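As an added illustration (not code from the Logjam paper, and using a deliberately tiny constructed prime so every discrete log can be tabulated), here is the amortization the paragraph describes: one precomputation per prime, then a lookup per connection, and no help at all against a connection that used a different prime.

```python
"""Toy model of the Logjam observation: precompute once for a prime,
then break every Diffie-Hellman exchange that uses that prime cheaply.
Added example; the group (p=1019, g=2) is a constructed toy value."""
import random


def precompute_dlog_table(p, g):
    """The 'single enormous computation' for the group (p, g).

    For a real 1024-bit prime this is the months-long number-field-sieve
    precomputation; for a toy prime we simply enumerate g^x until it cycles.
    Returns (p, table) so the result stays bound to the prime it was built for.
    """
    table = {}
    val, x = 1, 0
    while True:
        table[val] = x
        val = (val * g) % p
        x += 1
        if val == 1:          # walked the whole subgroup generated by g
            break
    return p, table


def dh_exchange(p, g, rng):
    """One client/server exchange in group (p, g).

    Returns the two public values an eavesdropper sees and the shared
    secret both sides derive (kept only so the test can check the break).
    """
    a = rng.randrange(2, p - 1)
    b = rng.randrange(2, p - 1)
    A, B = pow(g, a, p), pow(g, b, p)
    secret = pow(B, a, p)
    assert secret == pow(A, b, p)
    return A, B, secret


def break_exchange(cracked, p, A, B):
    """Per-connection work after precomputation: one lookup, one pow.

    Returns the recovered shared secret, or None when the connection used a
    prime other than the cracked one (the table says nothing about it).
    """
    cracked_p, table = cracked
    if p != cracked_p or A not in table:
        return None
    return pow(B, table[A], p)


def count_broken(cracked, exchanges):
    """How many of the observed (p, A, B, secret) tuples the table breaks."""
    return sum(1 for p, A, B, secret in exchanges
               if break_exchange(cracked, p, A, B) == secret)


if __name__ == "__main__":
    rng = random.Random(7)
    cracked = precompute_dlog_table(1019, 2)
    same = [(1019,) + dh_exchange(1019, 2, rng) for _ in range(5)]
    other = [(1009,) + dh_exchange(1009, 11, rng) for _ in range(5)]
    print("shared prime broken:", count_broken(cracked, same), "of 5")
    print("other prime broken:", count_broken(cracked, other), "of 5")
```

The mitigation follows directly from the model: larger primes make the one-time step infeasible, and unique per-server groups deny the attacker anything to amortize.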

“As long as you are volunteering that data, you
won't mind if we copy it into our criminal database, right?” Have
we paid for DNA testing or have we agreed to add our DNA to their
database forever?

When companies like Ancestry.com and 23andMe first
invited people to send in their DNA for genealogy tracing and medical
diagnostic tests, privacy advocates warned
about the creation of giant genetic databases that might one day be
used against participants by law enforcement. DNA, after all, can be
a key to solving crimes. It “has serious information about you and
your family,” genetic privacy advocate Jeremy Gruber told me back
in 2010 when such services were just getting popular.

Now, five years later, when 23andMe
and Ancestry
both have over a million customers, those warnings are looking
prescient. “Your relative’s DNA could turn you into a suspect,”
warns Wired,
writing about a case from earlier this year, in which New Orleans
filmmaker Michael Usry became a suspect in an
unsolved murder case after cops did a familial genetic search
using semen collected in 1996. The cops searched an Ancestry.com
database and got a familial match to a saliva sample Usry’s father
had given years earlier. Usry was ultimately determined to be
innocent and the Electronic Frontier Foundation called it a “wild
goose chase” that demonstrated “the very real threats to
privacy and civil liberties posed by law enforcement access to
private genetic databases.”

… As NYU law professor Erin Murphy told the
New Orleans Advocate regarding the Usry case, gathering DNA
information is “a series of totally reasonable steps by law
enforcement.” If you’re a cop trying to solve a crime, and you
have DNA at your disposal, you’re going to want to use it to
further your investigation. But the fact that your signing up for
23andMe or Ancestry.com means that you and all of your current and
future family members could become genetic criminal suspects is not
something most users probably have in mind when trying to find out
where their ancestors came from.

“It has this really Orwellian state feeling to
it,” Murphy said to the Advocate.

If the idea of investigators poking through your
DNA freaks you out, both Ancestry.com
and 23andMe have options to delete your information with the sites.
23andMe says it will delete information within 30 days upon request.

This could cause a few problems. Imagine schools
introducing technology that does a good job teaching students but
fails to meet the state's standards. They buy the technology and
then most of their students won't use it.

The homework assignments, essays, musings
and instant messages today’s students are entering into educational
websites and applications would be subject to new data privacy
standards under legislation introduced today in Harrisburg.

State Rep. Dan Miller, D-Mt. Lebanon, and
Tedd Nesbit, R-Grove City, have introduced two bills that would stop
short of outlawing controversial data practices, but would require
that districts inform parents if they use technology that doesn’t
meet the standards, and allow students to opt out.

Most of the vendors had no provision for deleting
unneeded student data or protecting it in a corporate acquisition or
bankruptcy sale, and only a tiny minority pledged to notify schools
in the event of a data breach.

I don't see this as a problem for quite some time.
(Except for TV game shows)

A couple of weeks ago James Gross, co-founder of
Percolate, had me speak at their
Transition conference.
I talked about Carlota Perez, her theories, and the transition to
the deployment period that we are currently undergoing. The talk, as
I remember it, (plus some stuff I had to cut for time) is below.
I’ve also added some additional material as sidenotes.

Perez’
theory describes the path a technological revolution, like the
Industrial Revolution, takes and the social, economic and
institutional changes that go along with it. The jury is
still out on the theory, and there are plenty of reasons to doubt it.
But if it successfully predicts what happens over the next ten years
it will have in good part proved its power.

“Google searches are like a stream of
consciousness. We plug every idle curiosity, every thought, and
every question into the search engine. Google has always kept
careful record of these searches, which helps sell ads. But Google
also keeps an audio log of the questions you ask its voice search
function, OK Google, and now you can listen to those recordings
online. Back in June, Google launched a new portal for all Google
account-related activities. It’s where you can manage your privacy
settings, see what you’ve searched for, and where Google has logged
your location. The Guardian pointed
out Oct. 12 that these archives include a section for voice
searches, and it’s a little unnerving to listen to every silly
thing you’ve asked since the service launched…”

Note to self and others – everything you
say and do via digital devices is collected – by various
organizations for reasons ranging from marketing to surveillance.
We have automatically been opted-out of “privacy.” And it is
always a good idea to seek the assistance of a Librarian – in
person is a bonus – we listen to and respond to questions on a
mind boggling range of issues, with expertise, and without an
agenda.

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.